Policy | Security | Investigation

digital forensics

June 23, 2009

For responsible parties like corporations and government agencies, a reason to retain all their e-mail, text and instant message records is to refute forgeries of e-records. Thorough email archives (including each attachment) provide forensic evidence to invalidate false claims.

Just ask Australia’s prime minister, Kevin Rudd. His political opponents tried to embarrass him with an electronic mail record purportedly from his senior advisor Andrew Charlton. The e-mail appeared to show corruption; it appeared to show Rudd’s government conferring a business advantage on Rudd’s friend John Grant.

But fortunately for the government, it retained its own e-mail records for the time in question. An investigation revealed that the scandalous e-mail was a forgery!

The investigation proceeded in two steps. First it examined the alleged sender’s digital records. “Searches by the Department of Prime Minister and Cabinet and Treasury of Dr Charlton's computer and the system of the public service had found nothing. ‘There have been exhaustive searches conducted on Dr Charlton's computer email system and no such correspondence can be found,’ Mr Rudd said.”

Second, the Australian Federal Police (equivalent to the FBI) conducted a forensic analysis of two computers used by the purported receiver of the e-mail. "Preliminary results of those forensic examinations indicate that the email referred to at the centre of this investigation has been created by a person or persons other than the purported author of the email," said the AFP.

This revelation of course played to the Prime Minister’s distinct advantage. He could show that his adversaries had based their attack on misrepresented facts.

The Strategy Lesson: Unless you are a criminal, your e-records are your friend. Had the government been destroying its records quickly, it would not have been so capable of exposing this fraud.

–Benjamin Wright

Mr. Wright is an advisor to Messaging Architects, a thought leader on ESI investigations.

December 04, 2008

Do the collection and evaluation of electronic records for use in court require a professional license? In litigation a mistake on this question can surprisingly cause a party to lose a lawsuit.

One Court Rules

A Texas judge ruled that the company operating a red-light enforcement camera, Affiliated Computer Services (ACS), was acting illegally because it did not have a private investigator license. As the operator of the system, the company was involved in collecting and evaluating electronic records for the purpose of presenting findings in court. This case has spawned an uproar statewide, where motorists (such as Jim Ash, citizen of College Station, Texas) are challenging traffic tickets, demanding repayment of fines they’ve paid and complaining about police and politicians who support automated (robo-cop) traffic enforcement.

In effect, motorists are arguing the digital evidence against them should be thrown out of court because it was managed by an investigator who should have been licensed but was not.

Broadly-Worded Texas Legislation

The controversy in Texas is an unintended consequence of recent legislation compelling computer forensics experts to get licensed as private investigators under state regulation. Last year the legislature amended the Texas Occupation Code so that Section 1702.104 now reads: "(a) A person acts as an investigations company [which must be licensed] if the person: (1) engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to . . . the cause or responsibility for . . . loss, accident, damage, or injury to a person or to property. . . . (b) For purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public."

In our digital age, this is broad language that might be read to cover data collection and evaluation activities unexpectedly. [*First Footnote] It might cover activities not only in criminal investigations, but also in civil lawsuits like bankruptcies and failed business deals. In Texas the traffic violations in red-light camera cases are often civil law matters, not criminal law.

When the Texas legislature amended the Occupation Code, I'm sure it did not realize it might be forcing local state governments (like the municipality of College Station) to return millions of dollars in revenue from run-of-the-mill, civil law traffic tickets.

On its face, it is unclear whether Section 1702.104 covers the mere searching for and collection of computer data, as distinguished from the review/evaluation/assessment of its content.

Is this Licensure Requirement Wise?

The computer (IT) forensics profession argues that a broad understanding of private investigator (PI) licensure is unwise. In August 2008 the profession persuaded the American Bar Association to pass Resolution 301 urging lawmakers to “refrain from requiring private investigator licenses for persons engaged in:

- computer or digital forensic services or in the acquisition, review, or analysis of digital or computer-based information, whether for purposes of obtaining or furnishing information for evidentiary or other purposes, or for providing expert testimony before a court; or

- network or system vulnerability testing, including network scans and risk assessment and analysis of computers connected to a network.”

The ABA argues that computer forensics is a separate profession from private investigation and should be treated differently.

Details of the controversy between these two professions vary from state to state. E-discovery professionals should know the PI licensure laws and regulations of the states in which they work.

Update: The Texas Private Security Bureau has weighed in with an opinion on this topic. See my analysis.

Another update: Citizen Jim Ash believes he has found evidence that the contract between the camera company in his case (American Traffic Solutions or ATS) and the city of College Station violates the Texas legislation enabling automated red-light enforcement. Ash says Texas law forbids the company from being paid on a per-violation basis. But he reads the contract between ATS and the city as providing such payment.

Update June 2009: Jim Ash has launched a referendum [**Second Footnote] drive to ban red light cameras from College Station. In just a couple of weeks, he has amassed 744 of the 850 voter signatures he needs to get the measure on the ballot.

–Benjamin Wright

*First Footnote: One of the reasons Section 1702.104 has attracted notoriety is that, in enforcement of the Section, the Texas Private Security Board reportedly sent letters to Geek Squad (!). The letters warned the intrepid computer repair guys not to learn about child, spouse or employee use of the computers they are fixing.

**Second Footnote: When I originally wrote about Jim Ash's voters' effort in College Station, I called it a "referendum," not having researched or thought about the technical difference between a referendum and a petition initiative under the city's charter or under the Texas law of municipalities. I have since learned that the effort is a "petition initiative," not a referendum.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center in 1984.

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- is public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.